Organizations are quickly discovering that a "one size fits all" approach to security across the network falls short of addressing the unique trends in the Data Center. So what's really that unique about the Data Center (DC)? This is a multi-part blog to highlight various trends related to securing the DC, with Part One focusing on traffic trends.
Traffic in the Data Center generally flows in three directions. "North-South" traffic is limited to traffic that enters and exits the DC. It is the sort of traffic that most DC security solutions focus on as it crosses the DC boundary. "East-West" traffic, on the other hand, flows between DC devices and applications and never leaves the DC. Finally, there is "Inter-DC" traffic, which flows between multiple DCs, and between DCs and the private/public cloud.
Cisco's Global Cloud Index tells us that, unlike in campus networks, most DC traffic flows "East-West" (76%), followed by "North-South" traffic (17%), and finally inter-DC traffic, which currently comprises only 7% but is gradually growing. In campus networks, traffic is primarily (90+%) "North-South" traffic.
Why is this important? To understand the relevance of this unique mix of DC traffic from a security perspective, one needs to understand its key drivers. "East-West" traffic is primarily communication between applications hosted on physical and virtual machines, including VM-to-VM interactions within the DC. "North-South" traffic is the traffic that enters and exits the DC, and generally consists of queries, commands, and specific data being retrieved or stored. As the name implies, "Inter-DC" traffic consists largely of resource optimization and disaster recovery traffic between dispersed DCs, and between DCs and the private/public cloud.
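The three directions above are defined by where each endpoint of a flow sits relative to the DC boundary, which means you can measure your own mix from flow records instead of relying on industry averages. The following is an added example (not code from the original post or from Cisco) that classifies flows against a hypothetical address plan: the DC prefixes, the remote-DC/cloud prefixes, and the sample flow records are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Hypothetical address plan (constructed for this example, not from the post):
# on-premises DC prefixes, and prefixes belonging to other DCs / cloud VPCs.
# Anything outside both sets is treated as "outside the DC" (Internet, campus).
DC_PREFIXES = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]
REMOTE_PREFIXES = [ipaddress.ip_network("10.200.0.0/16"), ipaddress.ip_network("172.31.0.0/16")]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def classify_flow(src, dst):
    """Label one flow as 'east-west', 'north-south', 'inter-dc' or 'external'.

    east-west:   both endpoints inside this DC
    inter-dc:    one endpoint inside this DC, the other in a remote DC / cloud prefix
    north-south: one endpoint inside this DC, the other anywhere else (crosses the DC edge)
    external:    neither endpoint in this DC (not DC traffic at all)
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    s_dc, d_dc = _in_any(s, DC_PREFIXES), _in_any(d, DC_PREFIXES)
    if s_dc and d_dc:
        return "east-west"
    if s_dc or d_dc:
        other = d if s_dc else s
        return "inter-dc" if _in_any(other, REMOTE_PREFIXES) else "north-south"
    return "external"


def traffic_mix(flows):
    """flows: iterable of (src, dst, byte_count). Returns {direction: share of bytes}."""
    totals = Counter()
    for src, dst, nbytes in flows:
        totals[classify_flow(src, dst)] += nbytes
    grand = sum(totals.values())
    return {k: round(v / grand, 3) for k, v in totals.items()} if grand else {}


# Constructed sample flow records (src, dst, bytes), shaped like a NetFlow/IPFIX export.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.20.3.9", 7000),    # app tier to database tier: east-west
    ("10.20.3.9", "10.10.1.5", 600),     # the reply: east-west
    ("203.0.113.7", "10.10.1.5", 1000),  # Internet client to web tier: north-south
    ("10.10.1.5", "203.0.113.7", 700),   # response back out: north-south
    ("10.10.9.2", "10.200.4.4", 500),    # replication to a remote DC: inter-DC
    ("10.20.0.1", "172.31.8.8", 200),    # backup to a cloud VPC: inter-DC
]

if __name__ == "__main__":
    for direction, share in sorted(traffic_mix(SAMPLE_FLOWS).items()):
        print(f"{direction:12s} {share:.1%}")
```

Run against real flow exports, the interesting question for the rest of this post is not the percentages themselves but how much of the "east-west" bucket is passing through no policy enforcement point at all.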
To enforce policy on traffic flowing in an east-west direction, organizations have traditionally re-purposed bulky hardware originally designed as Internet edge gateways to monitor ingress/egress (North-South) traffic. To accomplish this, traffic is often rerouted out of the data center for inspection and then rerouted back into its data path, a process known as hair-pinning. Organizations have pursued this circuitous route because of:
The challenge with artificially hair-pinning internal DC traffic out of the DC for inspection, versus directing traffic across the shortest and most optimal east-west path, is that it:
With the introduction of the ASAv (Adaptive Security Virtual Appliance), Cisco has rounded out a comprehensive suite of best-of-breed virtualized security services designed specifically for DC environments, including firewalling, NGFW, NGIPS, VPN, email, and web security services. The goal is to apply the right security services as close as possible to the transaction, provide adequate and dynamic scalability, and deliver unmatched resiliency within the DC. So let's drill down to understand how this can be accomplished, specifically with regard to the firewall services provided by the ASAv, with the understanding that these same capabilities need to go well beyond firewalling.
The ASAv expands security deployment options in the DC by:
ASAv is an exciting development that increases flexibility and integration opportunities. If you are in San Francisco this week for Cisco Live! make sure to stop by the Security booth for a demo. If you are not able to attend, check out the keynotes and keep up with the latest announcements via our Cisco Live Virtual Experience. There are many, many more announcements coming from Cisco Security this week!